
SiSyPHuS Win10: Analysis - Universal Windows Apps and Windows Information Protection

The work package is split into two parts: Part 1 analyzes the lifecycle of Universal Windows Apps (UWAs) and defines a UWA management process for handling such apps without a connection to the Microsoft Store.
The second part analyzes the Windows Information Protection (WIP) feature.

Table of Contents - Part 1

1 Introduction
1.1 Summary (German)
1.2 Executive Summary
1.3 Concepts and Terms
2 Technical Analysis
2.1 AppContainer process
2.2 Integrity verification
2.3 Managing third-party UWAs
Appendix
Tools
AppContainer process launcher
PoC: UWA manager
Event IDs
References
Keywords and Abbreviations

Table of Contents - Part 2

1 Introduction
1.1 Summary (German)
1.2 Executive Summary
1.3 Concepts and Terms
2 Technical Analysis
3 Logging Capabilities
Appendix
Tools
WIP Policy
EFSRA.CER
Event IDs
Keywords and Abbreviations
References

Summary - Part 1

Windows 10 provides the Universal Windows Platform (UWP) application platform for developing and running user applications on heterogeneous Windows platforms, such as computers, smartphones, Xbox devices, tablets, and so on. These applications are referred to as Universal Windows Applications (UWAs) in this work. At the operating system level, UWAs are processes that operate within the AppContainer application execution environment (ms_appi, 2020). In this work, these processes are referred to as AppContainer processes. AppContainer is an application sandbox environment that implements mechanisms restricting which system resources AppContainer processes can access. This restriction is implemented at the process, filesystem and Windows object level.

UWAs are distributed to Windows instances for deployment in the form of application package files. Application package files archive multiple files and are formatted in the ZIP archive file format.

This work presents a concept for managing third-party UWAs hosted at a private, on-premise UWA repository, that is, a repository of application package files. The concept serves a demonstration purpose and can be significantly extended. It supports the following main UWA management activities: UWA deployment, UWA uninstallation, and UWA update. These activities are conducted at Windows 10 instances, referred to as Windows clients. The Windows clients communicate with the UWA repository over a network connection, forming a client-server relationship.

Summary - Part 2

WIP enables the protection of data by restricting access to files using a whitelisting approach, based on AppLocker, and protects data stored in files against leakage using encryption, based on the Encrypting File System (EFS). This work package focuses on the file encryption and decryption processes conducted by WIP.

WIP encrypts and decrypts files with a symmetric encryption key, referred to as the File Encryption Key (FEK). This key is generated in the context of the Local Security Authority Subsystem Service (LSASS) process and is encrypted using a symmetric key that is assigned to a specific user, that is, the user’s Data Protection Application Programming Interface (DPAPI) key. This binds the FEK to the specific user encrypting the file and therefore binds the encrypted file to that user, which is effective against accidental data leakage. In addition, the FEK is also encrypted using an asymmetric key pair managed by WIP for recovery purposes, that is, for the scenario in which the user’s DPAPI key is lost or revoked. Only a user that has the DPAPI user key with which the files have been encrypted, or that has the asymmetric key pair kept for recovery, can decrypt the files.
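The two-path key hierarchy described above (a per-file FEK, wrapped once under the user's key and once under a recovery key pair) can be modelled end to end in a few dozen lines. The following Go program is an added example written for this page; it is not code from the BSI work package, from WIP or from EFS, and it does not reproduce the real EFS on-disk format. It assumes stand-ins for the Windows primitives: `DeriveUserKey` is a hypothetical SHA-256 derivation standing in for the user's DPAPI key, AES-256-GCM stands in for both the content cipher and the DPAPI wrap, and RSA-OAEP stands in for the WIP recovery key pair. The names `ProtectedFile`, `Protect`, `UnprotectAsUser` and `UnprotectWithRecovery` are likewise this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// ProtectedFile: content under a per-file FEK, FEK wrapped for the user and for recovery.
type ProtectedFile struct {
	Ciphertext     []byte // AES-256-GCM(FEK, content), nonce prepended
	FEKForUser     []byte // AES-256-GCM(userKey, FEK): stand-in for the DPAPI wrap
	FEKForRecovery []byte // RSA-OAEP(recoveryPub, FEK): the recovery copy
}

// DeriveUserKey stands in for a user's DPAPI key (hypothetical derivation, not DPAPI).
func DeriveUserKey(userSecret string) []byte {
	sum := sha256.Sum256([]byte("dpapi-stand-in:" + userSecret))
	return sum[:]
}

func GenerateRecoveryKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// aeadSeal encrypts with AES-GCM under key and prepends the random nonce.
func aeadSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aeadOpen reverses aeadSeal; a wrong key fails authentication rather than yielding garbage.
func aeadOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Protect generates a fresh FEK, encrypts the content with it, and wraps the FEK twice.
func Protect(content, userKey []byte, recoveryPub *rsa.PublicKey) (*ProtectedFile, error) {
	fek := make([]byte, 32)
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	ct, err := aeadSeal(fek, content)
	if err != nil {
		return nil, err
	}
	forUser, err := aeadSeal(userKey, fek)
	if err != nil {
		return nil, err
	}
	forRecovery, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recoveryPub, fek, nil)
	if err != nil {
		return nil, err
	}
	return &ProtectedFile{Ciphertext: ct, FEKForUser: forUser, FEKForRecovery: forRecovery}, nil
}

// UnprotectAsUser is the normal path: only the key that wrapped the FEK can unwrap it.
func UnprotectAsUser(pf *ProtectedFile, userKey []byte) ([]byte, error) {
	fek, err := aeadOpen(userKey, pf.FEKForUser)
	if err != nil {
		return nil, err
	}
	return aeadOpen(fek, pf.Ciphertext)
}

// UnprotectWithRecovery is the recovery path for a lost or revoked user key.
func UnprotectWithRecovery(pf *ProtectedFile, recoveryPriv *rsa.PrivateKey) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recoveryPriv, pf.FEKForRecovery, nil)
	if err != nil {
		return nil, err
	}
	return aeadOpen(fek, pf.Ciphertext)
}
```

The point the model makes is the one the summary states: a second user's key does not unwrap the FEK (the AEAD tag check fails, so no plaintext is ever produced), while the recovery private key reaches the same content through its own wrapped copy. Because both wraps protect the same FEK, the recovery key holder is as powerful as the owner for every file, which is why that key pair deserves the same handling as any key-escrow secret.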